b'           OFFICE OF\n    THE INSPECTOR GENERAL\n\n\nSOCIAL SECURITY ADMINISTRATION\n\n\n\n  PERFORMANCE INDICATOR AUDIT:\n     CONTINUING ELIGIBILITY\n\n\n  October 2005    A-15-05-15115\n\n\n\n\n AUDIT REPORT\n\x0c                                     Mission\n\nWe improve SSA programs and operations and protect them against fraud, waste,\nand abuse by conducting independent and objective audits, evaluations, and\ninvestigations. We provide timely, useful, and reliable information and advice to\nAdministration officials, the Congress, and the public.\n\n                                    Authority\n\nThe Inspector General Act created independent audit and investigative units,\ncalled the Office of Inspector General (OIG). The mission of the OIG, as spelled\nout in the Act, is to:\n\n  \xc2\x81 Conduct and supervise independent and objective audits and\n    investigations relating to agency programs and operations.\n  \xc2\x81 Promote economy, effectiveness, and efficiency within the agency.\n  \xc2\x81 Prevent and detect fraud, waste, and abuse in agency programs and\n    operations.\n  \xc2\x81 Review and make recommendations regarding existing and proposed\n    legislation and regulations relating to agency programs and operations.\n  \xc2\x81 Keep the agency head and the Congress fully and currently informed of\n    problems in agency programs and operations.\n\n  To ensure objectivity, the IG Act empowers the IG with:\n\n  \xc2\x81 Independence to determine what reviews to perform.\n  \xc2\x81 Access to all information necessary for the reviews.\n  \xc2\x81 Authority to publish findings and recommendations based on the reviews.\n\n                                      Vision\n\nBy conducting independent and objective audits, investigations, and evaluations,\nwe are agents of positive change striving for continuous improvement in the\nSocial Security Administration\'s programs, operations, and management and in\nour own office.\n\x0c                                     SOCIAL SECURITY\n\nMEMORANDUM\n\nDate:   October 4, 2005                                                         Refer To:\n\nTo:     The Commissioner\n\nFrom:   Inspector General\n\nSubject: Performance Indicator Audit: Continuing Eligibility (A-15-05-15115)\n\n\n\n        We contracted with PricewaterhouseCoopers, LLP (PwC) to evaluate 16 of the Social\n        Security Administration\xe2\x80\x99s performance indicators established to comply with the\n        Government Performance and Results Act. The attached final report presents the\n        results of two of the performance indicators PwC reviewed. For each performance\n        indicator included in this audit, PwC\xe2\x80\x99s objectives were to:\n\n           \xe2\x80\xa2   Assess the effectiveness of internal controls and test critical controls over the\n               data generation, calculation, and reporting processes for the specific\n               performance indicator.\n           \xe2\x80\xa2   Assess the overall reliability of the performance indicator\xe2\x80\x99s computer processed\n               data. Data are reliable when they are complete, accurate, consistent and are not\n               subject to inappropriate alteration.\n           \xe2\x80\xa2   Test the accuracy of results presented and disclosed in the Fiscal Year 2004\n               Performance and Accountability Report.\n           \xe2\x80\xa2   Assess if the performance indicator provides a meaningful measurement of the\n               program it measures and the achievement of its stated objective.\n\n        This report contains the results of the audit for the following indicators:\n\n           \xe2\x80\xa2   Supplemental Security Income nondisability redeterminations.\n           \xe2\x80\xa2   Periodic continuing disability reviews processed.\n\x0cPage 2 \xe2\x80\x93 The Commissioner\n\n\nPlease provide within 60 days a corrective action plan that addresses each\nrecommendation. If you wish to discuss the final report, please call me or have your\nstaff contact Steven L. Schaeffer, Assistant Inspector General for Audit, at\n(410) 965-9700.\n\n\n\n\n                                               S\n                                               Patrick P. O\xe2\x80\x99Carroll, Jr.\n\nAttachment\n\x0cMEMORANDUM\n\nDate:     August 17, 2005\n\nTo:       Inspector General\n\nFrom:     PricewaterhouseCoopers, LLP\n\nSubject: Performance Indicator Audit: Continuing Eligibility (A-15-05-15115)\n\n\n\nOBJECTIVE\nThe Government Performance and Results Act (GPRA)1 of 1993 requires the Social\nSecurity Administration (SSA) to develop performance indicators that assess the\nrelevant service levels and outcomes of each program activity.2 GPRA also calls for a\ndescription of the means employed to verify and validate the measured values used to\nreport on program performance.3\n\nOur audit was conducted in accordance with generally accepted government auditing\nstandards for performance audits. For the performance indicators included in this audit,\nour objectives were to:\n\n          1. Assess the effectiveness of internal controls and test critical controls over the\n             data generation, calculation, and reporting processes for the specific\n             performance indicator.\n\n          2. Assess the overall reliability of the performance indicator\xe2\x80\x99s computer\n             processed data. Data are reliable when they are complete, accurate,\n             consistent and are not subject to inappropriate alteration.4\n\n          3. Test the accuracy of results presented and disclosed in the\n             Fiscal Year (FY) 2004 Performance and Accountability Report (PAR).\n\n          4. Assess if the performance indicator provides a meaningful measurement of\n             the program it measures and the achievement of its stated objective.\n\n1\n Public Law No. (Pub. L. No.) 103-62, 107 Stat. 285 (codified as amended in scattered sections of\n5 United States Code (U.S.C.), 31 U.S.C. and 39 U.S.C.).\n2\n    31 U.S.C. \xc2\xa7 1115(a)(4).\n3\n    31 U.S.C. \xc2\xa7 1115(a)(6).\n4\n    GAO-03-273G Assessing Reliability of Computer Processed Data, October 2002, p. 3.\n\n\nPerformance Indicator Audit: Continuing Eligibility (A-15-05-15115)                                 1\n\x0cBACKGROUND\nWe audited the following performance indicators as stated in the SSA FY 2004 PAR:\n\n         Performance                                            FY 2004 Reported\n             Indicator                      FY 2004 Goal             Results\n    Supplemental Security\n    Income (SSI) Non-\n                                               2,210,000              2,278,566\n    Disability\n    Redeterminations (RZ)\n    Periodic Continuing\n    Disability Reviews                         1,537,000              1,604,680\n    (CDR) Processed\n\nSSA administers two disability programs: the Disability Insurance (DI) program,\nauthorized by Title II of the Social Security Act,5 and the SSI program, authorized by\nTitle XVI of the Social Security Act. 6 The DI program provides income for eligible\nworkers who have qualifying disabilities and for eligible members of their families before\nthey reach retirement age.7 The SSI Program is a needs-based program that provides\nor supplements the income of aged, blind, and/or disabled individuals with limited\nincome and resources.8 SSA periodically performs reassessments of SSI beneficiaries\xe2\x80\x99\nnonmedical factors (SSI Non-Disability Redeterminations) as well as reassessments of\nDI and SSI beneficiaries\xe2\x80\x99 disability factors (Periodic CDRs) to determine ongoing benefit\neligibility.\n\nSSI RZs are post-eligibility reviews of SSI nonmedical factors, such as income,\nresources and living arrangements. This information is used to determine beneficiaries\xe2\x80\x99\nfinancial eligibility for continued payment. RZs are scheduled based on the likelihood of\nchanges in circumstances that may affect the payment amount. Unscheduled RZs are\ncompleted on an \xe2\x80\x9cas needed\xe2\x80\x9d basis and are triggered when SSA learns of certain\nchanges in circumstances that could affect the continuing SSI payment amount.\n\nSSA completes periodic DI and SSI CDRs to determine if a disabled individual\ncontinues to be medically eligible to receive benefits. Periodic CDRs are required at a\nminimum of every 3 years9 unless SSA has determined the disability was classified as\n\n\n5\n    Social Security Act, \xc2\xa7\xc2\xa7 201-234, 42 U.S.C. \xc2\xa7\xc2\xa7 401-434.\n6\n    Social Security Act, \xc2\xa7\xc2\xa7 1601-1637, 42 U.S.C. 1381-1383f.\n7\n    http://www.ssa.gov/OP_Home/ssact/title02/0200.htm.\n8\n    http://www.ssa.gov/OP_Home/ssact/title16b/1601.htm.\n9\n    Social Security Act, \xc2\xa7 221(i), 42 U.S.C. \xc2\xa7 421(i).\n\n\n\n\nPerformance Indicator Audit: Continuing Eligibility (A-15-05-15115)                       2\n\x0cpermanent, or the beneficiary has enrolled in the Ticket to Work program.10 Periodic\nCDRs are conducted by questionnaire (mailer) or by a medical re-examination of the\nbeneficiaries\xe2\x80\x99 disability.\n\nRESULTS OF REVIEW\nWe found that SSA does not have adequate internal controls over the processes used\nto secure and report the performance data used in the performance indicator \xe2\x80\x9cSSI Non-\nDisability Redeterminations.\xe2\x80\x9d Specifically, there were a number of weaknesses found in\nthe configuration of the Title XVI Datawarehouse.11 As a result, we were unable to\nconclude that the performance data was reliable. For the indicator \xe2\x80\x9cPeriodic Continuing\nDisability Reviews (CDR) Processed,\xe2\x80\x9d we were able to recalculate the indicator using\nsummary data, but we could not verify the accuracy of the summary data. As a result,\nPricewaterhouseCoopers, LLP (PwC) was unable to validate the accuracy of the\nreported indicator results.\n\nWe did not identify any significant exceptions related to the accuracy of presentation or\ndisclosure of the information related to these indicators contained in the PAR, or to the\nmeaningfulness of these indicators.\n\nSSI Non-Disability Redeterminations\n\nIndicator Background\n\nSSI Nondisability RZs are selected based on the date of the beneficiaries\xe2\x80\x99 last RZ and\nthe categorization of beneficiaries into high, middle or low error profiles.12 The selected\nbeneficiaries are tracked in the Post-Entitlement Operational Data Store (PEODS). The\nRZ data is updated in the Supplemental Security Record (SSR), which is the master\nrecord for SSI beneficiaries.\n\nRZs are completed at the field offices (FO) and the Wilkes-Barre Data Operations\nCenter (WBDOC). Claims representatives (CR) at the FO perform high-error profile\nRZs through face-to-face or telephone interviews. SSA requests that the beneficiaries\nbring financial documentation to the interviews, such as rent receipts or bank records.\nDuring the interview, the CR inputs any changes to the beneficiaries\xe2\x80\x99 nonmedical factors\nvia the Modernized Supplemental Security Income Claims System (MSSICS). MSSICS\nupdates the SSR with changes to the beneficiaries\xe2\x80\x99 nonmedical factors. The SSR\nprovides data to PEODS to update the status of the RZ once it is completed.\n\n\n\n10\n     Ticket to Work and Work Incentives Improvement Act of 1999, Pub. L. No. 106-170.\n11\n     The Tile XVI Datawarehouse is an Oracle database running on a UNIX server.\n12\n     Program Operations Manual System: OS 03513.001 Redeterminations \xe2\x80\x93 General.\n\n\nPerformance Indicator Audit: Continuing Eligibility (A-15-05-15115)                      3\n\x0cMiddle-error and low-error profile RZs are reviewed by records processing clerks at the\nWBDOC. Beneficiaries are mailed forms to complete and return to the WBDOC. The\nreturned forms are manually reviewed for completeness at the WBDOC. During the\nmailer reviews, the records processing clerk inputs changes. If \xe2\x80\x9cno change\xe2\x80\x9d is indicated\non the form, a completion indicator is posted to the SSR. The SSR provides data to\nPEODS to update the status of the RZ once it is completed.\n\nOn a weekly basis, PEODS transfers the composite high, middle and low RZ data to the\nTitle XVI Datawarehouse. Once a month, the Division of Cost Analysis reviews the RZ\ndata maintained in the Title XVI Datawarehouse and provides the RZ information to the\nOffice of Strategic Management. The year-to-date total of the completed RZs is\nrecorded in the PAR. Refer to the formula below:\n\n\n                                                      Total Completed RZs for the period\n      Total SSI Non-Disability RZs              =     of October 1, 2003 to\n        Processed for FY 2004\n                                                      September 24, 2004\n\n\nFindings\n\nInternal Controls and Data Reliability\n\nOur review of the Title XVI Datawarehouse UNIX system and Oracle database identified\nseven security and compliance exceptions. This review was conducted against the\nSSA developed UNIX Risk Model configuration standard (which establishes baseline\nconfiguration requirements for all production SSA UNIX servers), the SSA Security\nHandbook, National Institute of Standards and Technology (NIST) guidelines, and the\nDefense Information Systems Agency (DISA) Security Technical Implementation\nGuides (STIG). We identified two exceptions to the requirements of the SSA UNIX Risk\nModel and three exceptions to the existing Government guidelines from NIST and the\nDISA UNIX STIGs.13 We identified one exception to the requirements of the SSA\nSecurity Handbook. During our review of the Oracle database, we were informed by\nSSA management that SSA has not documented a configuration standard (risk model)\nfor the Oracle database environment. The lack of a documented configuration standard\nincreases the risk that the database environment will not be consistently configured to\n\n13\n     During the review, the following NIST and DISA guidelines were used:\n\n      \xe2\x80\xa2   NIST Interagency Reports 5153 Section 3.2.2 #11: Government standards state, \xe2\x80\x9cEach resource\n          delivered with the system shall have the most restrictive access rights possible to permit the\n          intended use of that resource.\xe2\x80\x9d\n      \xe2\x80\xa2   DISA UNIX Security Technical Implementation Guide, Version 4R4, Release 15 January 2005\n          Section 3.8.1 G201.\n      \xe2\x80\xa2   NIST Special Publications 800-18 Guide for Developing: Security Plans for Information\n          Technology Systems, Section 6.MA.2.\n\n\n\n\nPerformance Indicator Audit: Continuing Eligibility (A-15-05-15115)                                   4\n\x0cmeet minimum security requirements established in the SSA Security Handbook.\nAdditionally, SSA cannot ensure that the steps required to restrict access, prevent data\nloss, and detect unauthorized activity are consistently completed by system\nadministrators when installing, configuring, upgrading, or maintaining a database.\n\nThe Government Accountability Office\xe2\x80\x99s (GAO) guide, Assessing the Reliability of\nComputer-Processed Data, states that for data to be considered reliable it must not be\nsubject to inappropriate alteration. As a result of these security issues, the data used to\ncalculate this performance indicator could not be considered reliable as the environment\ndid not provide an appropriate level of control to prevent inappropriate alteration of the\ndata.\n\nPeriodic Continuing Disability Reviews Processed\n\nIndicator Background\n\nPeriodic CDRs are conducted through full medical reviews or beneficiary completed\nquestionnaires (mailers). The type of CDR to be completed is determined by the\nbeneficiaries\xe2\x80\x99 probability of medical improvement. Beneficiaries with a high probability\nof medical improvement receive a full medical review CDR.\n\nA CDR begins when an FO receives an alert to review a beneficiary\xe2\x80\x99s case folder which\ncontains background and medical information on the beneficiary to determine if a full\nmedical CDR should be performed. The FO is able to determine the need for a full\nmedical CDR, based on SSA policy. If unable to readily make that decision, it is\ntransferred to the State Disability Determination Services (DDS). The folders identified\nfor full medical CDRs are also transferred to DDS for medical adjudication. The DDS\ndisability adjudicator reviews the folder to determine if a full medical CDR should be\nperformed. If a full medical CDR is not performed, the beneficiary\xe2\x80\x99s record is updated in\nthe Disability Control File (DCF) and the case is not included in the performance\nindicator count.\n\nWhen a full medical CDR is completed by the DDS the determination of \xe2\x80\x9ccontinuance,\xe2\x80\x9d\n\xe2\x80\x9ccessation,\xe2\x80\x9d or \xe2\x80\x9cno decision\xe2\x80\x9d is input into the National Disability Determination Services\nSystem (NDDSS). NDDSS transfers this data to the Disability Operational Data Store\n(DIODS). DIODS produces the State Agency Operations Report (SAOR) on a monthly\nbasis and at the end of the year. The year-to-date total of the completed full medical\nCDRs is reported on the SAOR report. Refer to the following formula:\n\n\n                                                       Total recorded medical CDRs less\n Total full medical CDRs processed               =\n                                                       work issue CDRs 14\n\n14\n  A work issue CDR is an unscheduled full medical review that is performed to evaluate the beneficiary\xe2\x80\x99s\nmedical eligibility as a result of earnings being posted to the Master Earnings File against a beneficiary\xe2\x80\x99s\nrecord. Since these are not periodic CDRs, they are not included in the count.\n\n\nPerformance Indicator Audit: Continuing Eligibility (A-15-05-15115)                                       5\n\x0cCDR mailers are performed for beneficiaries that have a low probability of medical\nimprovement. These beneficiaries are identified through profiling. Profiling is the\nprocess in which the Office of Disability Determinations (ODD) ranks all Title II and Title\nXVI recipients based on the probability of cessation. The mailer forms request\ninformation about the beneficiaries\xe2\x80\x99 medical improvement, recent education or training,\nand recent attempts to work or return to work. CDR mailers are tracked within the\nOffice of Disability and Income Security Programs.\n\nBeneficiaries return completed CDR mailers to the WBDOC. The WBDOC reviews the\nmailers for completeness and creates a data file to capture relevant information. The\ndata file is sent to the Office of Continuing Disability Reviews Support (OCDRS) to\nprocess using the beneficiary\xe2\x80\x99s mailer responses. The possible outcomes for the mailer\nCDRs are:\n\n   \xe2\x80\xa2   Deferred for a full medical review;\n   \xe2\x80\xa2   Full medical review;\n   \xe2\x80\xa2   Administrative closure; or\n   \xe2\x80\xa2   Processing Center review.\n\nODD updates the DCF to reflect the results of the OCDRS processing and completion\nof the CDR mailers. Only completed CDR mailers that have been deferred for a full\nmedical review are included in the performance measure count.\n\n\n                                                  Total completed CDR mailers that\nTotal completed CDR mailers                 =     have been deferred for Full Medical\n                                                  Review\n\n\nThe CDR Mailer Deferrals report produces the total deferred CDR mailers completed on\na monthly basis. The year-to-date total of the completed full medical CDRs on the\nreport is combined with the year-to-date total of the deferred CDR mailers and is\nrecorded in the PAR.\n\n\n                                                  Total full medical CDRs processed\n                                                  for the period of October 1, 2003 to\nTotal fiscal year-to-date CDRs              =\n                                                  September 24, 2004 plus the total\nprocessed\n                                                  completed CDR mailers for the\n                                                  period of October 1, 2003 to\n                                                  September 24, 2004\n\n\n\n\nPerformance Indicator Audit: Continuing Eligibility (A-15-05-15115)                       6\n\x0cFindings\n\nWe were able to recalculate the indicator using summary data from DIODS, but we\ncould not verify the accuracy of the summary data. The DIODS data used to classify\nthe full medical reviews as complete was not archived and maintained. SSA\nmanagement stated that the detailed data was not maintained due to limited data\nstorage space. As a result, PwC was unable to validate the accuracy of the reported\nindicator results. The Agency brought to our attention that it is considering alternative\nmeans to address this finding, e.g. providing a year-to-date DIODS snapshot. We\nacknowledge SSA\xe2\x80\x99s efforts to address this finding; however, as the proposed\nalternatives were not in place during the period of our audit, we were unable to verify or\ntest the accuracy of data provided by these alternatives.\n\nWe did not identify any significant exceptions related to the accuracy of presentation or\ndisclosure of the information related to this indicator contained in the PAR, or to the\nmeaningfulness of this indicator.\n\nCONCLUSION AND RECOMMENDATIONS\n\nSpecific to the performance indicator, \xe2\x80\x9cSSI Non-Disability Redeterminations,\xe2\x80\x9d we\nrecommend SSA:\n\n   1. Ensure that the Title XVI Datawarehouse UNIX system is configured to be in\n      compliance with the SSA Risk Model and Government guidelines from NIST and\n      DISA.\n   2. Ensure that the Title XVI Datawarehouse Oracle database is configured to be in\n      compliance with the SSA Security Handbook.\n   3. Create a risk model for the Oracle database that is in compliance with the SSA\n      Security Handbook and Government guidelines.\n\nSpecific to the performance indicator, \xe2\x80\x9cPeriodic CDRs processed,\xe2\x80\x9d we recommend SSA:\n\n   4. Maintain the detailed data used to calculate the performance indicator results\n      that are reported in the PAR or provide alternate means to ensure that the data is\n      auditable.\n\nAGENCY COMMENTS\n\nSSA generally agreed with one recommendation, neither agreed nor disagreed with\nanother recommendation, and disagreed with two recommendations. Although SSA\nstated they could neither agree nor disagree with recommendation 2, SSA discussed\nsteps taken to address the risk presented by this issue. For recommendation 3, SSA\ndisagreed and stated that the risk models target operating systems, not databases. For\nrecommendation 4, SSA disagreed and stated that system capacity and limited\n\n\n\n\nPerformance Indicator Audit: Continuing Eligibility (A-15-05-15115)                      7\n\x0cresources would prevent them from full implementation of this recommendation. The\nfull text of SSA\xe2\x80\x99s comments can be found in Appendix D.\n\nPWC RESPONSE\nIn response to the Agency\'s general comment related to the accuracy of the data used\nto calculate the performance indicator results, for the indicator "SSI Non-Disability\nRedeterminations," GAO\xe2\x80\x99s guide, Assessing the Reliability of Computer-Processed\nData, states that for data to be considered reliable it must not be subject to\ninappropriate alteration. As a result of the security issues addressed in this report, the\ndata used to calculate this performance indicator could not be considered reliable as the\nenvironment did not provide an appropriate level of control to prevent inappropriate\nalteration of the data. For the indicator "Periodic Continuing Disability Reviews\nProcessed," the DIODS data used to classify the full medical reviews as complete was\nnot archived and maintained. As a result, PwC was unable to validate the accuracy of\nthe reported indicator results.\n\nIn response to recommendation 1, we believe the approach that SSA has taken to\naddress the risk presented by this finding is appropriate. For recommendations 2 and 3,\nsince completion of the field work for this audit, SSA has created an ORACLE standard\nconfiguration risk model that defines SSA\'s security guidelines for implementation of\nORACLE databases. For recommendation 4, one of the objectives of the GPRA audit is\nto ensure the accuracy of results reported in the PAR for each of the indicators under\naudit. We are willing to discuss any alternate methods the Agency is considering to\nensure that the indicator results are auditable. However, SSA is responsible for\nmeeting the requirements of OMB Circular A-123, Management Accountability and\nControl, which states, "\xe2\x80\xa6documentation for transactions, management controls, and\nother significant events must be clear and readily available for examination."15\n\n\n\n\n15\n     OMB Circular A-123, Appendix II, Establishing Management Controls, June 21, 1995.\n\n\nPerformance Indicator Audit: Continuing Eligibility (A-15-05-15115)                      8\n\x0c                                             Appendices\nAPPENDIX A \xe2\x80\x93 Acronyms\n\nAPPENDIX B \xe2\x80\x93 Scope and Methodology\n\nAPPENDIX C \xe2\x80\x93 Process Flowcharts\n\nAPPENDIX D \xe2\x80\x93 Agency Comments\n\n\n\n\nPerformance Indicator Audit: Continuing Eligibility (A-15-05-15115)\n\x0c                                                                      Appendix A\nAcronyms\nCDR                  Continuing Disability Review\nCR                   Claims Representative\nDCA                  Division of Cost Analysis\nDCF                  Disability Control File\nDDS                  Disability Determination Services\nDI                   Disability Insurance\nDIODS                Disability Operational Datastore\nDISA                 Defense Information Systems Agency\nFO                   Field Office\nFY                   Fiscal Year\nGAO                  Government Accountability Office\nGPRA                 Government Performance and Results Act\nMSSICS               Modernized Supplemental Security Income Claims Systems\nNCC                  National Computer Center\nNDDSS                National Disability Determination Services System\nNIST                 National Institute of Standards and Technology\nOCDRS                Office of Continuing Disability Review Support\nODD                  Office of Disability Determinations\nOEEAS                Office of Earnings, Enumerations and Administrative Systems\nPAR                  Performance and Accountability Report\nPC                   Processing Center\nPEODS                Post-Entitlement Operational Data Store\nPub. L. No.          Public Law Number\nPwC                  PricewaterhouseCoopers, LLP\nRZ                   Redetermination\nRZ SDO               Redetermination Service Delivery Objective Report\nSAOR                 State Agency Operations Report\nSSA                  Social Security Administration\nSSI                  Supplemental Security Income\nSSR                  Supplemental Security Record\nSTIG                 Security Technical Implementation Guides\nU.S.C.               United States Code\nWBDOC                Wilkes-Barre Data Operations Center\n\n\n\n\nPerformance Indicator Audit: Continuing Eligibility (A-15-05-15115)\n\x0c                                                                      Appendix B\nScope and Methodology\nWe updated our understanding of the Social Security Administration\xe2\x80\x99s (SSA)\nGovernment Performance and Results Act (GPRA) processes. This was completed\nthrough research and inquiry of SSA management. We also requested SSA to provide\nvarious documents regarding the specific programs being measured as well as the\nspecific measurement used to assess the effectiveness and efficiency of the related\nprogram.\n\nThrough inquiry, observation, and other substantive testing, including testing of source\ndocumentation, we performed the following:\n\n   \xe2\x80\xa2   Reviewed prior SSA, Government Accountability Office, Office of the Inspector\n       General and other reports related to SSA\xe2\x80\x99s GPRA performance and related\n       information systems.\n   \xe2\x80\xa2   Met with the appropriate SSA personnel to confirm our understanding of the\n       performance indicator.\n   \xe2\x80\xa2   Flowcharted the process. (See Appendix C).\n   \xe2\x80\xa2   Tested key controls related to manual or basic computerized processes (e.g.,\n       spreadsheets, databases, etc.).\n   \xe2\x80\xa2   Conducted and evaluated tests of the automated and manual controls within and\n       surrounding each of the critical applications to determine whether the tested\n       controls were adequate to provide and maintain reliable data to be used when\n       measuring the specific indicator.\n   \xe2\x80\xa2   Identified attributes, rules, and assumptions for each defined data element or\n       source document.\n   \xe2\x80\xa2   Recalculated the metric or algorithm of key performance indicators to ensure\n       mathematical accuracy.\n   \xe2\x80\xa2   For those indicators with results that SSA determined using computerized data,\n       we assessed the completeness and accuracy of that data to determine the data\'s\n       reliability as it pertains to the objectives of the audit.\n\nAs part of this audit, we documented our understanding, as conveyed to us by Agency\npersonnel, of the alignment of the Agency\xe2\x80\x99s mission, goals, objectives, processes, and\nrelated performance indicators. We analyzed how these processes interacted with\nrelated processes within SSA and the existing measurement systems. Our\nunderstanding of the Agency\xe2\x80\x99s mission, goals, objectives, and processes were used to\ndetermine if the performance indicators appear to be valid and appropriate given our\nunderstanding of SSA\xe2\x80\x99s mission, goals, objectives and processes.\n\nWe followed all performance audit standards in accordance with generally accepted\ngovernment auditing standards. In addition to the steps noted previously, we\nspecifically performed the following to test the indicators included in this report:\n\n\nPerformance Indicator Audit: Continuing Eligibility (A-15-05-15115)                    B-1\n\x0cSUPPLEMENTAL SECURITY INCOME REDETERMINATIONS\n\n   \xe2\x80\xa2   Audited the design and effectiveness of the SSA internal controls and the\n       accuracy and completeness of the data related to the following areas:\n          9 Completed application control review over the Title XVI Datawarehouse.\n          9 Completed reviews for the Title XVI Datawarehouse UNIX system and\n             ORACLE database.\n   \xe2\x80\xa2   Recalculated the Supplemental Security Income redeterminations for the Fiscal\n       Year (FY) 2004 and compared it to the number reported in the Performance\n       Accountability Report.\n\nPERIODIC CONTINUING DISABILITY REVIEWS PROCESSED\n\n   \xe2\x80\xa2   Audited the design and effectiveness of the SSA internal controls and the\n       accuracy and completeness of the data related to the following areas:\n            9 Observed the Continuing Disability Review (CDR) mailer process at the\n              Wilkes-Barre Data Operations Center (WBDOC).\n            9 Completed application control review over Disability Operational Datastore\n              (DIODS).\n   \xe2\x80\xa2   Determined the adequacy of the programming logic used by SSA to calculate the\n       full medical reviews processed.\n   \xe2\x80\xa2   Recalculated the Title II and Title XVI CDR mailers processed for FY 2004 and\n       compared it to the Title II and Title XVI CDR mailers processed for the year.\n   \xe2\x80\xa2   Recalculated the Title II and Title XVI CDR full medical reviews summary data for\n       FY 2004 and compared it to the State Agency Operations Report as of\n       September 24, 2004.\n\n\n\n\nPerformance Indicator Audit: Continuing Eligibility (A-15-05-15115)                 B-2\n\x0c                                                                                                                                           Appendix C\n\nFlowchart of Supplemental Security Income\n(SSI) Non-Disability Redeterminations\n S ch ed u led R ed eterm in atio n s\n\n  F ie ld O ffice (F O )\n  h a n dle h igh -error                                 R Z d a ta is e nte red in\npro file a n d W B D O C                                        M od e rn ize d\n   e xclu sion ca ses                                   S u p p lem en ta l S ecu rity          A\nth rou g h fa ce-to -fa ce                                   In co m e C laim s\n     or tele p h on e                                     S yste m (M S S IC S ).\n        in te rview .\n\n\n\n\n            B\n\n\n\n\n      M ailers\n\n  M a ile r fo rm s a re                                         Yes\n   re turn ed to th e\n                                          Is th e fo rm\n    W B D O C a nd\n                                          co m p le te?\n m an u a lly re vie w ed\n for co m p le te n ess.\n\n                                                          No\n                                                                                                            T h e m a iler reco rd\n                                                                       M aile rs are sca n ne d an d        is so rte d into o ne\n                                            W BDOC\n                                                                         re view e d th rou g h a n         of five cate g orie s:\n                                     e m p lo yee s follo w -\n                                                                       e xcep tio n lo g ic pro cess             a u to m ate d\n                                     up if an y a dd itio na l\n                                                                           th a t co m p a re s th e         co m p le tio n , tw o\n                                      ke y in form a tio n is\n                                                                       an sw ers o n th e m ailer to         W B D O C a ction s\n                                       n ee d e d from th e\n                                                                           th e S u p ple m en ta l             a n d tw o F O\n                                             m a iler.\n                                                                       S e curity R eco rd (S S R ).               a ction s.\n\n\n\n\n                                                                                                            W B D O C a nd F O             C o m p le tion\n                                                                                                               fo llo w -up o n               da ta is\n                                                                                                            ad d ition a l actio n s        po sted to       A\n                                                                                                                 n e ed e d to                  th e\n                                                                                                              co m p lete R Z .             M S S IC S .\n\n\n\n\n                                                                                                                      B\n\nU n sch ed u le d R e d e te rm in atio n s\n\n\n E ve nts su ch a s the d ea th\n o f an e ligib le spo u se a n d                   F O use form S S A -8 2 03 -                    R Z da ta is\n th e e ffectu atio n of ce rta in                      B K or M S S IC S to                        e n tere d in                      A\n     ap p e llate d ecisio n s                           co nd u ct th e R Z .                      M S S IC S .\n trig ge r un sche d u led R Z s.\n\n\n\n\nPerformance Indicator Audit: Continuing Eligibility (A-15-05-15115)                                                                                          C-1\n\x0cFlowchart of Supplemental Security Income\n(SSI) Non-Disability Redeterminations (cont.)\n                 Supplemental\n                Security Income\n                 (SSI) Update\n                System updates\n               SSR with RZ case\n                  data daily.\n\n\n  A\n\n                  SSI Update                             When a\n                System updates                       redetermination\n               Post-Entitlement                     is processed, the\n               Operational Data                      case is updated\n                Store (PEODS)                        and considered\n               with RZ case data                    \xe2\x80\x9ccomplete\xe2\x80\x9d in the\n                     daily.                              PE ODS.\n\n\n\n\n               This information is\n                                             Office of Earning, Enumerations\n               processed daily in\n                                               and Administrative Systems\n                  the Title XVI\n                                                   (OEEAS) checks the\n                Datawarehouse\n                                              transaction count of the data\n                and available to\n                                                received from PEODS for\n                  users every\n                                                      completeness.\n                    Monday.\n\n\n\n\n         A report called Redetermination\n        Service Delivery Objective Report\n          (RZSDO) is run by Division of\n           Cost Analysis (DCA) monthly                      DCA reviews the\n        which displays the information for                 information along\n          the pm weekly or monthly and                     with the Regional\n             keeps totals of RZ cases                       Office (RO) and\n            available, completed, and                         FO users for\n                     pending.                                  accuracy.\n\n\n\n\n             Performance Indicator\n              results are shown on\n             RZSDO and are sent to\n                Office of Strategic\n              Management (OSM).\n\n\n\n\nPerformance Indicator Audit: Continuing Eligibility (A-15-05-15115)            C-2\n\x0c2004 Process Flowchart Narrative\nSupplemental Security Income (SSI) Non-Disability Redeterminations\n     Scheduled Redeterminations\n  \xe2\x80\xa2 Claims representatives at the FOs typically handle high-error profile\n     redeterminations through face-to-face or telephone interviews.\n  \xe2\x80\xa2 The updated information is input via on-line entry to the MSSICS.\n  \xe2\x80\xa2 The SSR is updated by overnight batch processing and the information is\n     transferred using the SSI Update System to PEODS.\n     Mailers\n  \xe2\x80\xa2 WBDOC conducts redeterminations that have low-error profiles using computer\n     generated mail-out forms to be completed and returned by the beneficiaries.\n  \xe2\x80\xa2 Forms are manually reviewed for completeness.\n  \xe2\x80\xa2 Incomplete forms are followed up by WBDOC employees.\n  \xe2\x80\xa2 Mailers are scanned and reviewed through an exception logic process that\n     compares the answers on the mailer to the SSR.\n  \xe2\x80\xa2 The mailer record is sorted into one of five categories: automated completion,\n     two WBDOC actions and two FO actions.\n  \xe2\x80\xa2 WBDOC and FO follow up on additional actions needed to complete RZ.\n  \xe2\x80\xa2 If a complication develops in the case, the case is transferred to the servicing\n     FO.\n  \xe2\x80\xa2 If \xe2\x80\x9cno change\xe2\x80\x9d is indicated, a completion indicator is posted to the SSR.\n  \xe2\x80\xa2 The SSR is updated by overnight batch processing and the information is\n     transferred using the SSI Update System to PEODS.\n     Unscheduled Redeterminations\n  \xe2\x80\xa2 Events such as the death of an eligible spouse and the effectuation of certain\n     appellate decisions trigger unscheduled RZs.\n  \xe2\x80\xa2 FO uses form SSA-8203-BK or MSSICS to conduct the RZ similar to a scheduled\n     RZ.\n  \xe2\x80\xa2 The updated information is input via on-line entry to the MSSICS.\n  \xe2\x80\xa2 The SSR is updated by overnight batch processing and the information is\n     transferred using the SSI Update System to PEODS.\n  \xe2\x80\xa2 The entered cases, identified by SSNs, are considered receipts in the PEODS.\n  \xe2\x80\xa2 When the processing of a redetermination is done and updated by the FO in\n     MSSICS, a completion count is taken.\n  \xe2\x80\xa2 PEODS redetermination data are updated automatically once a week.\n  \xe2\x80\xa2 The information is processed daily in the Title XVI Datawarehouse and available\n     to users every Monday.\n  \xe2\x80\xa2 Once a month, the DCA reviews the redetermination data on the RZ SDO Report\n     and sends the completion data to the Office of Strategic Management (OSM),\n     which is reported at year-end in SSA\xe2\x80\x99s PAR.\n\n\n\n\nPerformance Indicator Audit: Continuing Eligibility (A-15-05-15115)             C-3\n\x0cFlowchart of Periodic Continuing Disability\nReviews (CDR) Processed\n         Full Medical Review CDRs\n\n                               Findings are\n   Cases forwarded             inputted into                                          Medical CDRs are                          Total CDRs less\n                                                          Data transferred\n      to Disability           National DDS                                            posted on monthly                          the number of\n                                                          from NDDSS to\n    Determination                 System                                                State Agency                            recorded cases\n                                                             Disability\n   Services (DDS)              (NDDSS) to                                             Operations Report                       that are work issue\n                                                          Operational Data\n    from the FO to           report outcome                                           (SAOR) produced                          CDRs equals the\n                                                          Store (DIODS).\n   perform medical            \xe2\x80\x9ccontinuance\xe2\x80\x9d,                                            from DIODS.                            Periodic Medical\n     adjudication.                  and                                                                                        CDRs processed.\n                                \xe2\x80\x9dcessation.\xe2\x80\x9d\n\n\n          A              Update of decision and\n                                                                                                                              The performance\n                        completion date posted to\n                                                                                                                                 measure is\n                      Supplemental Security Record\n                                                                                                                              reported monthly\n                        (SSR)/ Master Beneficiary\n                                                                                                                                  to OSM.\n                            Record (MBR).\n\n\n\n        CDR Mailers\n                                                                                                  Update of mailer                    B\n                                                                                                     data and\n                                                                                                   determination\n Mailer forms are                                                                                  result to SSR/\n  returned to the                                   Yes                                                MBR.\n                               Is the form\n   WBDOC and\n                               complete?\nmanually reviewed\nfor completeness.\n                                                                                           The mailer data is processed\n                                         No                                                through decision logic at the\n                                                                                               Central Office and a\n                                                                                                                                       Alerts are\n                                WBDOC                                                     determination is made as either\n                                                            Mailer goes through a                                                    generated for\n                          employees follow-                                                deferred, full medical review,\n                                                            scanning process at                                                    cases marked for   A\n                          up if any additional                                            Processing Center (PC) review.\n                                                                the WBDOC.                                                           a full medical\n                           key information is                                                (PC review can make the\n                                                                                                                                        review.\n                            needed from the                                                 determination to defer, full\n                                 mailer.                                                  medical review, or administrative\n                                                                                                      closure).\n\n\n\n          The data is pulled\n          monthly from the\n         Office of Continuing                                                          The OCDRS CDR                    PC makes the\n                                                    OCDRS CDR\n          Disability Review                                                         Tracking file queries the         determination that\n                                                   Tracking File is\n         Support (OCDRS)                                                             Disability Control File             the case is a\n                                                 updated with deferral\n         CDR Tracking Files                                                          (DCF) for PC Review                 deferral and\n                                                     mailer data.\n         using a FOCEXEC                                                                   deferrals.                 updates the DCF.\n               program.\n\n\n\n                                             The sections of the\n            CDR Mailer                        report are totaled\n          Deferral Report is                  on an excel sheet                                                                Periodic CDRs\n              created.                                                       B                                                    Processed\n                                               and reported to\n                                                OSM monthly.                                                                  calculation = total\n                                                                                                                                medical CDRs\n                                                                                                  B\n                                                                                                                              processed + CDR\n                                                                                                                                mailer cases\n                                                                                                                                 recorded as\n                                                                                                                                   deferred\n\n\n\n\nPerformance Indicator Audit: Continuing Eligibility (A-15-05-15115)                                                                                   C-4\n\x0c2004 Process Flowchart Narrative\nPeriodic Continuing Disability Reviews (CDR) Processed\n      Full Medical Reviews\n   \xe2\x80\xa2 FOs forward the cases to the State Disability Determination Services (DDS) to\n      perform the medical adjudication.\n   \xe2\x80\xa2 Once a determination is made by the DDS, the findings are input into the NDDSS\n      to report the outcome, either \xe2\x80\x9ccontinuance,\xe2\x80\x9d \xe2\x80\x9ccessation,\xe2\x80\x9d or \xe2\x80\x9cno decision\xe2\x80\x9d in the\n      event of an administrative closure.\n   \xe2\x80\xa2 The data is transferred from the NDDSS to DIODS.\n   \xe2\x80\xa2 The medical CDRs are posted monthly on a SAOR year-to-date report, which is\n      produced from the DIODS.\n   \xe2\x80\xa2 The information, available weekly but reported monthly to the Commissioner\xe2\x80\x99s\n      Tracking Report, is used to calculate the performance indicator. The total\n      recorded CDRs less the number of recorded cases that are work issue CDRs\n      equals the number of reported medical CDRs processed.\n      CDR Mailers\n   \xe2\x80\xa2 Once a scannable mailer is received by the WBDOC, there is a preliminary\n      screening for completeness.\n   \xe2\x80\xa2 Incomplete forms are followed up by WBDOC employees.\n   \xe2\x80\xa2 The mailer form is both scanned by equipment using optical character\n      recognition and physically input/keyed to create a data file.\n   \xe2\x80\xa2 The data file is transmitted to National Computer Center (NCC) at the Central\n      Office. NCC formats and names the file that is then passed along to OCDRS.\n   \xe2\x80\xa2 OCDRS processes the data through decision-logic. The decision logic considers\n      the beneficiary\xe2\x80\x99s mailer responses together with the profile score signifying high,\n      middle, or low likelihood of cessation due to medical improvement. The possible\n      outcomes are either deferred, full medical review, administrative closure or\n      Processing Center (PC) review.\n   \xe2\x80\xa2 ODD makes the appropriate input to update the DCF to reflect the results of\n      decision logic processing.\n   \xe2\x80\xa2 PC can make a determination to defer or full medical review, or administrative\n      closure.\n   \xe2\x80\xa2 The OCDRS CDR Tracking file queries the DCF for PC Review deferrals.\n   \xe2\x80\xa2 OCDRS CDR Tracking File is updated with deferral mailer data.\n   \xe2\x80\xa2 The performance indicator data is pulled monthly from the OCDRS CDR\n      Tracking Files using a FOCEXEC program.\n   \xe2\x80\xa2 CDR Mailer Deferral Report is created.\n   \xe2\x80\xa2 The sections of the report are totaled on an EXCEL spreadsheet and reported to\n      OSM monthly.\n\n\n\n\nPerformance Indicator Audit: Continuing Eligibility (A-15-05-15115)                  C-5\n\x0c                                                                      Appendix D\n\n   Agency Comments\n\n\n\n\nPerformance Indicator Audit: Continuing Eligibility (A-15-05-15115)\n\x0c                                          SOCIAL SECURITY\n\nMEMORANDUM                                                                       34314-24-1351\n\n\n              August 17, 2005                                                    Refer To: S1J-3\n\nTo:           Patrick P. O\'Carroll, Jr.\n              Inspector General\n\nFrom:         Larry W. Dye /s/\n              Chief of Staff\n\nSubject:      Office of the Inspector General (OIG) Draft Report, "Performance Indicator Audit:\n              Continuing Eligibility" (A-15-05-15115)--INFORMATION\n\n\n           We appreciate OIG\xe2\x80\x99s efforts in conducting this review. Our comments on the draft report\xe2\x80\x99s\n           recommendations are attached.\n\n           Please let me know if you have any questions. Staff inquiries may be directed to\n           Candace Skurnik, Director, Audit Management and Liaison Staff, at extension 54636.\n\n           Attachment:\n           SSA Response\n\n\n\n\n           Performance Indicator Audit: Continuing Eligibility (A-15-05-15115)                         D-1\n\x0cCOMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL DRAFT REPORT,\n"PERFORMANCE INDICATOR AUDIT: CONTINUING ELIGIBLITY" (A-15-05-15115)\n\n\nThank you for the opportunity to review and comment on the draft report. We would like to\nemphasize that as stated in the report, PricewaterhouseCoopers (PwC) did not identify any\nsignificant exceptions related to the accuracy of presentation or disclosure of the information\nrelated to the performance indicators discussed below that are contained in the Performance and\nAccountability Report (PAR). Therefore, SSA considers the audited data used to calculate the\nperformance indicators as accurate.\n\nOur responses to the specific recommendations are provided below.\n\nRecommendations specific to performance indicator, \xe2\x80\x9cSSI Non-Disability Redeterminations\xe2\x80\x9d\n\nRecommendation 1\n\nEnsure that Title XVI Datawarehouse UNIX system is configured to be in compliance with the\nSSA Risk Model and Government guidelines from National Institute of Standards and\nTechnology (NIST) and Defense Information Systems Agency (DISA)\n\nResponse\n\nWe agree with the intent of the recommendation, but not its breadth.\n\nConcerning PwC\xe2\x80\x99s finding that the Title XVI Datawarehouse was non-compliant with settings in\nthe risk model; we concur and have already taken corrective action.\n\nAlthough SSA reviews NIST and DISA guidelines when updating each operating system Risk\nModel, full adoption of the guidelines would adversely affect the Agency\xe2\x80\x99s ability to conduct its\ncore business under the current Information Technology (IT) environment. Moreover, the\nrecommendations made are frequently not applicable to SSA\xe2\x80\x99s systems environment because we\neither do not utilize the specific components of the operating system discussed in these\ndocuments or because SSA is using that component in a manner different than that envisioned by\nNIST or DISA.\n\nIt would be inappropriate for the Agency to state we are in full compliance with these guidelines\nfor the reasons stated above. However, the Agency has implemented the guidelines where they\nare applicable to our processing environment. We believe our configuration management\nprogram affords the Agency the best possible protections while also supporting our core business\nprocesses.\n\n\n\n\nPerformance Indicator Audit: Continuing Eligibility (A-15-05-15115)                          D-2\n\x0cRecommendation 2\n\nEnsure that Title XVI Datawarehouse Oracle database is configured to be in compliance with\nSSA Security Handbook.\n\nResponse\n\nWe cannot agree or disagree with this recommendation as the SSA Security handbook does not\ncontain database configuration standards. However, SSA\xe2\x80\x99s Office of Systems has established\nconfiguration standards for ORACLE using a risk-based approach that targets known\nweaknesses with current ORACLE configurations. As appropriate, the results of routine analysis\nof emerging industry best practices and applicable NIST guidance will be included in future\niterations of our configuration guide. As with all our configuration standards, compliance\nmonitoring continues on an ongoing basis.\n\nRecommendation 3\n\nCreate a risk model for the Oracle database that is in compliance with SSA Security Handbook\nand Government guidelines.\n\nResponse\n\nWe disagree. Agency practice for risk models targets operating systems, not databases. Every\noperating system permitted on the Agency\xe2\x80\x99s network is required to have a risk model that is\npublished and updated with an established frequency--no less than annually--in accordance with\nFederal sector requirements and guidelines, as adopted by SSA. Oracle databases reside on\noperating systems for which risk models exist. As noted in the response to recommendation 2,\nORACLE databases have documented configuration standards that are monitored for\ncompliance. We will consider formalizing our practice by including it in future policy updates.\n\nRecommendation specific to performance indicator, \xe2\x80\x9cPeriodic Continuing Disability Reviews\nProcessed\xe2\x80\x9d\n\nRecommendation 4\n\nMaintain the detailed data used to calculate the performance indicator results that are reported in\nthe Performance and Accountability Report (PAR) or provide alternate means to ensure that the\ndata is auditable.\n\nResponse\n\nWe disagree. Although the report indicates system capacity is a compelling factor for not\nmaintaining data for tracing data integrity, the diversion of already limited resources to support\nsuch activity is another compelling factor. Satisfying this recommendation would require SSA to\npreserve and maintain, among other things, data transactions, source code, multiple versions of\n\n\nPerformance Indicator Audit: Continuing Eligibility (A-15-05-15115)                            D-3\n\x0csoftware and the operating system in use during the potential audit review period. Staff would\nthen need to be available to reconstruct all this to support an audit. The magnitude of such an\neffort would seriously impede work to implement new information technology-supported\nprocesses that support SSA programs and its clients. We have recommended to OIG and PwC\nrepresentatives that they take advantage of real-time auditing, and they agreed to explore such an\noption for subsequent fiscal year audits.\n\nConcerning other indicators, OIG and PwC staff expressed they believe some existing indicators\nonly require the retention of summary data to meet the audit requirement. In these cases\narchiving only summary data for each fiscal year would be sufficient to meet PwC/OIG\xe2\x80\x99s needs.\nAlthough this approach won\xe2\x80\x99t address this particular indicator, Office of Systems staff will work\nwith indicator sponsors, the Office of Strategic Management (OSM) and PwC/OIG staff to\nidentify those indicators and determine the best storage options for archiving summary data.\nThis activity addresses the portion of the report that states that SSA is exploring alternatives to\nsupport auditors\xe2\x80\x99 needs.\n\n\n\n\nPerformance Indicator Audit: Continuing Eligibility (A-15-05-15115)                            D-4\n\x0c               Overview of the Office of the Inspector General\nThe Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI),\nOffice of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office\nof Executive Operations (OEO). To ensure compliance with policies and procedures, internal\ncontrols, and professional standards, we also have a comprehensive Professional Responsibility\nand Quality Assurance program.\n                                        Office of Audit\nOA conducts and/or supervises financial and performance audits of the Social Security\nAdministration\xe2\x80\x99s (SSA) programs and operations and makes recommendations to ensure\nprogram objectives are achieved effectively and efficiently. Financial audits assess whether\nSSA\xe2\x80\x99s financial statements fairly present SSA\xe2\x80\x99s financial position, results of operations, and cash\nflow. Performance audits review the economy, efficiency, and effectiveness of SSA\xe2\x80\x99s programs\nand operations. OA also conducts short-term management and program evaluations and projects\non issues of concern to SSA, Congress, and the general public.\n\n\n                                    Office of Investigations\nOI conducts and coordinates investigative activity related to fraud, waste, abuse, and\nmismanagement in SSA programs and operations. This includes wrongdoing by applicants,\nbeneficiaries, contractors, third parties, or SSA employees performing their official duties. This\noffice serves as OIG liaison to the Department of Justice on all matters relating to the\ninvestigations of SSA programs and personnel. OI also conducts joint investigations with other\nFederal, State, and local law enforcement agencies.\n\n\n                   Office of the Chief Counsel to the Inspector General\nOCCIG provides independent legal advice and counsel to the IG on various matters, including\nstatutes, regulations, legislation, and policy directives. OCCIG also advises the IG on\ninvestigative procedures and techniques, as well as on legal implications and conclusions to be\ndrawn from audit and investigative material. Finally, OCCIG administers the Civil Monetary\nPenalty program.\n                               Office of Executive Operations\nOEO supports OIG by providing information resource management and systems security. OEO\nalso coordinates OIG\xe2\x80\x99s budget, procurement, telecommunications, facilities, and human\nresources. In addition, OEO is the focal point for OIG\xe2\x80\x99s strategic planning function and the\ndevelopment and implementation of performance measures required by the Government\nPerformance and Results Act of 1993.\n\x0c'